SPECIFICATION 
Please amend the last paragraph on page 8 as follows: 
The present invention facilitates flexible consolidation and correlation of 
intrusion detection information from a variety of different Intrusion Detection System 
(IDS) sensors and systems. The present invention is capable of leveraging network 
and application management platform (e.g., OVO) features to provide improved and 
effective newly deployed IDS solutions in a cost effective manner. The present 
invention also reduces resources required to coordinate and implement an effective 
enterprise network and host intrusion detection system. 

Please amend the first paragraph on page 9 as follows: 
Figure 1A is a block diagram of intrusion detection integration system 101 in 
accordance with one embodiment of the present invention. Intrusion detection 
integration system 101 includes [illegible] user 
interface 109. User interface 109 permits a user to interface with intrusion detection 
integration console 102. User interface 109 can include a display (e.g., a [[VGA]] 
Video Graphics Array monitor, flat panel monitor, etc.) and an input/output device 
(e.g., a keyboard, mouse, etc.). Intrusion detection integration console 102 
consolidates various different types of intrusion detection information from a variety 
of different types of intrusion detection sensors and systems. 

Please amend the [illegible] paragraph on page 12 as follows: 

In general, UDC 100 includes a programmable infrastructure that enables the 
virtual connection of selected computing resources as well as the isolation of 
selected computing resources, thereby enabling security and segregation of 
computing resources at varying infrastructure levels. The resources included in 
UDC 100 can be dynamically programmed to logically reconfigure and "separate" 
the resources into a number of various virtual local area networks (VLANs). In one 
exemplary implementation, Network Operations Center 170 (NOC) [[170]] includes 
server 171 coupled to a user interface 191 and a utility database 192. 

Please amend the paragraph that starts on line 25 of page 12 and ends on 
line 11 of page 13 as follows: 

Utility controller database 192 comprises configuration information pertaining 
to the various resources in UDC 100, including descriptions of the configuration, 
characteristics, and/or features of a component. For example configuration 
[...] attack details, and attacked victim host details. The alarm incidence response 
attribute information can include cause information (e.g., what is the root cause of 
an alert), recommended action(s) for an operator to take (or alternatively provide a 
document that explains the response strategy policy framework and provides 
actions to be taken for attacks of differing severities), automatic reactions configured 
as a response, and references to more detailed information about the alerts (e.g., 
the IDS [[GUI]] generalized user interface console specifics, or a pointer to a 
document / site that explains the attack detected). In one exemplary 
implementation, the messages use consistent message terminology. 

Please amend the paragraph that begins on page 16 of page 21 and ends on 
line 6 of page 22 as follows: 

In one embodiment of the present invention, intrusion detection method 200 
also facilitates management of detection sensors. For example, the application 
feature of an OVO platform can be used for centralized IDS sensor management in 
which an authorized operator is able to access different sensor resources. In one 
exemplary implementation, one operator is able to read an IDS configuration file, 
while another operator is able to actually re-configure the file remotely, including 
starting and stopping an IDS sensor process after the reconfiguration. In one 
exemplary implementation, a variety of techniques (e.g., [[NNM]] network node 
manager, SNMP trap handling, monitor templates, etc.) can be utilized to detect that a 
sensor is operating (e.g., "alive") and monitor specific performance metrics via a 
scheduled script (e.g., checking the state of the IDS sensor process, its resource 
usage, its memory usage, etc.). An OVO platform can also utilize a template to 
schedule work on IDS sensors (e.g., backing up the evidence logs and creating 
fresh logs). Thus, the features of an OVO platform can facilitate effective 
management of a sensor via a centralized console. In addition, centralized policies 
regarding the management issues can be uniformly enforced via these mechanisms 
(e.g., backing up evidence logs across sensors every hour across the 
infrastructure). 
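
A scheduled sensor check of the kind this paragraph describes, as an added example that is not part of the specification or of any OVO tooling: it reads a process-table snapshot per sensor host, decides whether the IDS sensor process is alive and within CPU and memory limits, and reports every host in the same message terminology. The process name `ids-sensord`, the host names, the thresholds and the message layout are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample: `ps -eo pid,stat,pcpu,rss,comm` style snapshots, one per host.
# "ids-sensord" is a hypothetical sensor process name, not taken from the page.
HEADER = "  PID STAT %CPU    RSS COMMAND\n"
SNAPSHOTS = {
    "sensor-a": HEADER + "  812 Ss    3.1  48212 ids-sensord\n  901 S  0.0 1024 sshd\n",
    "sensor-b": HEADER + "  455 Z     0.0      0 ids-sensord\n",
    "sensor-c": HEADER + "  300 Sl   97.5 910000 ids-sensord\n",
}

# Assumed policy thresholds, applied uniformly to every sensor.
MAX_CPU_PCT = 80.0
MAX_RSS_KB = 512 * 1024

@dataclass
class Finding:
    host: str
    severity: str  # "normal", "warning" or "critical"
    text: str

def check_sensor(host, ps_output, process="ids-sensord"):
    """Return one Finding for a host from its process-table snapshot."""
    rows = [line.split() for line in ps_output.splitlines()[1:] if line.strip()]
    procs = [r for r in rows if len(r) == 5 and r[4] == process]
    # A zombie (Z) or stopped (T) entry is listed by ps but is not doing work.
    alive = [r for r in procs if r[1][0] not in "ZT"]
    if not alive:
        return Finding(host, "critical", f"IDS sensor process {process} not running")
    problems = []
    for pid, _stat, cpu, rss, _cmd in alive:
        if float(cpu) > MAX_CPU_PCT:
            problems.append(f"pid {pid} cpu {cpu}% > {MAX_CPU_PCT}%")
        if int(rss) > MAX_RSS_KB:
            problems.append(f"pid {pid} rss {rss}KB > {MAX_RSS_KB}KB")
    if problems:
        return Finding(host, "warning", "; ".join(problems))
    return Finding(host, "normal", f"IDS sensor process {process} alive")

def run_checks(snapshots=SNAPSHOTS):
    """Check every host in a stable order, as a scheduler would on each run."""
    return [check_sensor(h, out) for h, out in sorted(snapshots.items())]

if __name__ == "__main__":
    for f in run_checks():
        print(f"{f.host} [{f.severity}] {f.text}")
```

Treating a zombie or stopped process as "not running" matters here: a check that only looks for the process name would report sensor-b as alive while it inspects no traffic.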

Please amend the second paragraph on page 22 as follows: 
Figure 3 is a block diagram of computer system 300, one embodiment of a 
computer system on which a present invention intrusion detection central system 
can be implemented. For example, computer system 300 can be utilized to 
implement intrusion detection integration console 174 or integrated intrusion 
detection method 200. Computer system [[350]] 300 includes communication bus 
357, processor 351, memory 352, input component 353, bulk storage component 
354 (e.g., a disk drive), network communication port [[357]] 359 and display module 
355. Communication bus 357 is coupled to central processor 351, memory 352, 
input component 353, bulk storage component 354, network communication port 
357 and display module 355. 

Please amend the paragraph that starts on line [illegible] of page 22 and ends on 
line 5 of page 23 as follows: 

The components of computer system 300 cooperatively function to provide a 
variety of functions, including performing emulation application revision in 
accordance with the present invention. Communication bus [[307]] 357 
communicates information. Processor 351 processes information and instructions, 
including instructions for coordinating security information from a plurality of different 
security intrusion attempt identification components. For example, the instructions 
include directions for integrating (e.g., consolidating and correlating) IDS 
information. Memory 352 stores information and instructions, including instructions 
for coordinating security information from a plurality of different security intrusion 
attempt identification components, including, integrated IDS information. Bulk 
storage component 354 also provides storage of information. Input component 353 
facilitates communication of information to computer system [[350]] 300. Display 
module 355 displays information to a user. Network communication port 357 
provides a communication port for communicatively coupling with a network. 



Serial No. 10/600,113 
Examiner Cervetti, David Garcia 
Art Unit 2136 
200309309-1 



